CVE-2026-52750 Overview
CVE-2026-52750 is a command injection vulnerability in Ghidra versions prior to 12.1 on Windows. The flaw resides in the URL annotation handler, which fails to escape cmd.exe metacharacters when launching the system browser. Attackers can embed malicious URLs inside program comments or annotations. When a victim clicks the annotation, Windows executes attacker-controlled commands under the Ghidra user's privileges. The issue is tracked under CWE-88: Improper Neutralization of Argument Delimiters. Ghidra is the National Security Agency's open-source software reverse engineering suite, widely used by malware analysts and vulnerability researchers who routinely open untrusted binaries.
Critical Impact
Opening a malicious Ghidra project or clicking a crafted URL annotation triggers arbitrary command execution on Windows hosts.
Affected Products
- Ghidra versions before 12.1 on Windows
- NSA Ghidra reverse engineering framework
- Workstations running Ghidra projects shared from untrusted sources
Discovery Timeline
- 2026-06-10 - CVE-2026-52750 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-52750
Vulnerability Analysis
The vulnerability stems from unsafe construction of a Windows command line when Ghidra opens a URL referenced inside a program annotation or comment. On Windows, Ghidra invokes the default browser through cmd.exe, which interprets shell metacharacters such as &, |, ^, and %. The URL handler passes user-controlled annotation content into the command string without quoting or neutralizing these characters. An attacker who can supply a Ghidra project, archive, or shared analysis file embeds a crafted URL inside a comment. When the analyst clicks the hyperlink in the listing or decompiler view, cmd.exe parses the embedded metacharacters and executes the appended commands. Execution occurs in the security context of the Ghidra user, which on analyst workstations frequently holds local administrative rights or access to sensitive sample repositories.
Root Cause
The handler concatenates annotation strings into a cmd.exe /c start <url> invocation without applying argument escaping. Because cmd.exe treats & and | as command separators, any metacharacter in the URL terminates the intended start command and begins a new one parsed by the shell.
Attack Vector
Exploitation requires local user interaction. An attacker distributes a Ghidra project, .gzf archive, or shared listing containing a comment with an embedded URL such as https://example.com/&calc.exe. When the analyst clicks the annotation, Windows executes the trailing payload. No authentication or elevated privileges are required on the attacker side beyond convincing the victim to open the project and click the link. See the GitHub Security Advisory GHSA-5c38-3rf3-gp75 and the VulnCheck advisory for additional technical detail.
Detection Methods for CVE-2026-52750
Indicators of Compromise
- Child processes of ghidraRun.bat, javaw.exe, or the Ghidra JVM spawning cmd.exe followed by unexpected binaries such as powershell.exe, certutil.exe, or rundll32.exe
- URL strings inside Ghidra .gzf archives or XML exports containing shell metacharacters (&, |, ^, backticks)
- Outbound network connections initiated immediately after a Ghidra annotation click event
Detection Strategies
- Hunt for process trees where a Java process associated with Ghidra is the parent of cmd.exe with command lines containing start and additional chained commands.
- Inspect Ghidra project archives received from external sources for annotations whose URL fields contain non-URL metacharacters.
- Correlate user-initiated clicks in Ghidra with subsequent cmd.exe invocations on the same host within a short time window.
Monitoring Recommendations
- Enable Windows process creation auditing (Event ID 4688) with command-line logging on analyst workstations.
- Forward Sysmon Event ID 1 telemetry to a central analytics platform and alert on Ghidra JVM child processes that are not browser executables.
- Restrict the import of untrusted Ghidra projects to isolated, monitored virtual machines.
How to Mitigate CVE-2026-52750
Immediate Actions Required
- Upgrade Ghidra to version 12.1 or later on all Windows analyst workstations.
- Avoid opening Ghidra projects, archives, or shared listings received from untrusted sources until patched.
- Audit existing projects for annotations containing URLs with shell metacharacters and remove or sanitize them.
Patch Information
The National Security Agency addressed the issue in Ghidra 12.1 by properly escaping arguments passed to the Windows browser launch routine. Patch details and affected commits are referenced in GHSA-5c38-3rf3-gp75.
Workarounds
- Run Ghidra inside a dedicated, non-privileged Windows account or an isolated virtual machine when handling untrusted samples.
- Do not click URL annotations in projects of unknown provenance; copy the URL text and inspect it manually before navigation.
- Apply Windows AppLocker or Windows Defender Application Control rules to block cmd.exe child processes spawned by the Ghidra JVM.
# Example AppLocker-style restriction: block cmd.exe spawned by javaw.exe used for Ghidra
# Audit Sysmon rule (XML excerpt) for detection engineering
<Sysmon>
<EventFiltering>
<ProcessCreate onmatch="include">
<ParentImage condition="end with">javaw.exe</ParentImage>
<Image condition="end with">cmd.exe</Image>
</ProcessCreate>
</EventFiltering>
</Sysmon>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

